tomcat_enum requires the admin web app package for it to work, but
by default many Apache Tomcat don't actually have this. The module
should check that first before trying usernames.
[FixRM 6264], see:
http://dev.metasploit.com/redmine/issues/6264
I also made changes to do_login in order to verify successful/bad
attempts more specific.
* Unset default username and password
* Register SSL as a DefaultOption instead of redefining it
* Use the HttpClient mixin `ssl` instead of datastore.
* Unless is better than if !
* Try to store loot even if you can't cleanup the site ID.
Added code to check successful conn first, so now if there is no connectivity on target port, script aborts run.
New check to ensure 'set-cookie' is set by the app as expected, before any further fingerprinting & b-f starts.
If the app is not Ironport, 'set-cookie' will not be set & remains null, and so script aborts run.
De-registered 'TARGETURI.'
Registered 'username' and 'password' with default value.
Changed some run messages.
And lastly, changed the csrf key piece cos I miss a cold beer right now.
There was a disaster of a merge at 6f37cf22eb that is particularly
difficult to untangle (it was a bad merge from a long-running local
branch).
What this commit does is simulate a hard reset, by doing thing:
git checkout -b reset-hard-ohmu
git reset --hard 593363c5f9
git checkout upstream-master
git checkout -b revert-via-diff
git diff --no-prefix upstream-master..reset-hard-ohmy > patch
patch -p0 < patch
Since there was one binary change, also did this:
git checkout upstream-master data/exploits/CVE-2012-1535/Main.swf
Now we have one commit that puts everything back. It screws up
file-level history a little, but it's at least at a point where we can
move on with our lives. Sorry.
This module exploits a mass assignment vulnerability in the 'create'
action of 'users' controller of Foreman and Red Hat OpenStack/Satellite
(Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator
account.
[SeeRM:#1233] - This is an upgrade based on ringt's code in PR #2017.
As a pentester, it's useful to obtain additional information such as
device type, access rights, folders, and files, etc when doing a share
enumeration. I have also enhanced exception handling to avoid shutting
errors up, which is better for debugging purposes.
sinn3r
jvazquez-r7
Tod Beardsley
Brandon Perry
Karn Ganeshen
HD Moore
William Vu
Rich Lundeen
Ramon de C Valle